The evolution of webinjects
DESCRIPTION
Webinject files are now ubiquitous in the banking Trojan world to aid financial fraud. What started as private, malware-family-dependent code has now blossomed into a full ecosystem where independent coders sell their services to botnet herders. This specialization phenomenon can be observed in underground forums, where we see a growing number of offers for fully functional webinject packages providing all the functionality required to bypass the latest security measures put forth by financial institutions. Our research covers the current webinject scene and its commoditization. We will take a look back and show how it has evolved over time, going from simple phishing-like functionality to automatic transfer systems (ATS) and two-factor authentication bypass, along with mobile components and full-fledged web control panels to manage money exfiltration through fraudulent money transfers. Nowadays, malware able to inject arbitrary HTML content into a browser is all that a resourceful bot master needs, as he can now outsource practically every other step required to perform a successful fraudulent financial transfer. This is confirmed by our recent observation of several malware families using the same webinject kits. Our research will try to answer this question: will we see a consolidation phase leading to the emergence of a few select omnipresent webinject kits, similar to what we have seen in the Web exploit kit scene?
TRANSCRIPT
The evolution of webinjects
Jean-Ian Boutin
ESET
Outline
• Webinject Evolution
• Webinject Commoditization
• Emergence of Popular Kits
• Webinject Delivery
Webinject Evolution
The Beginnings
• Keyloggers
• Form grabbing
– Inspect GET/POST requests
• Injects are specifically made for one banking Trojan platform
• Only a couple of institutions are available
• Institutions are geo-located
Popular webinject format
• Keyword indicating which URL is targeted
• Target URL
• Flags (GET, POST)
• Keywords specifying where the code should be injected in the webpage
• Code to inject
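As an added example (not code from the talk), the following Python parser pulls the target URL pattern, request flags, injection anchors and inject code out of a config in the format the slide describes, so an analyst can check which of an institution's pages a recovered config targets. The keyword names set_url/data_before/data_after/data_inject/data_end and the G/P flag letters are assumed from the commonly documented Zeus-style syntax, since the slide shows them only as a screenshot; the sample config is constructed.

```python
import re
from dataclasses import dataclass
# Section keywords and the Inject field each one fills (assumed Zeus-style names)
SECTIONS = {"data_before": "before", "data_after": "after", "data_inject": "code"}
FLAG_NAMES = {"G": "GET", "P": "POST"}  # the two flags the slide names
@dataclass
class Inject:
    url_pattern: str   # target URL pattern from the set_url line ('*' = wildcard)
    flags: set         # request methods the inject applies to
    before: str = ""   # page fragment after which the code is inserted
    after: str = ""    # page fragment before which the code is inserted
    code: str = ""     # the HTML/JS that gets injected
def parse_webinject(text):
    """Parse a set_url/data_* config into a list of Inject records."""
    injects, current, field, buf = [], None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if field is not None:                     # inside a data_* block
            if line == "data_end":
                setattr(current, field, "\n".join(buf).strip())
                field, buf = None, []
            else:
                buf.append(raw)
        elif line.startswith("set_url"):
            parts = line.split()
            if len(parts) < 2:
                raise ValueError("set_url without a target: %r" % line)
            current = Inject(parts[1], {FLAG_NAMES[c] for c in (parts[2] if len(parts) > 2 else "") if c in FLAG_NAMES})
            injects.append(current)
        elif line in SECTIONS:
            if current is None:
                raise ValueError("%s appears before any set_url" % line)
            field = SECTIONS[line]
    if field is not None:
        raise ValueError("unterminated %s block" % field)
    return injects
def url_is_targeted(inject, url):
    """True if url matches the inject's set_url pattern ('*' matches anything)."""
    regex = ".*".join(re.escape(p) for p in inject.url_pattern.split("*"))
    return re.fullmatch(regex, url) is not None
# Constructed sample config (not a real one); the injected content is a placeholder
SAMPLE_CONFIG = """set_url https://bank.example/login* GP
data_before
<input type="password"*>
data_end
data_inject
<div id="extra">constructed placeholder content</div>
data_end
"""
```

Running `parse_webinject(SAMPLE_CONFIG)` yields one record whose `flags` are GET and POST, and `url_is_targeted` can then be run over a list of the institution's real URLs to see which pages the config would touch.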
Increase in Functionalities
• Login grabber
• Injection of additional fields
• Balance grabber/changer
• TAN grabber
• Full Automatic Transfer Systems (ATS or AZ - avtozaliv)
Phish-like inject
Automatic Transfer Systems
• Allow transfers to be done automatically
• Inject code able to browse to the correct page, fill in the transfer information, etc.
• Not as attractive nowadays due to complexity
Transaction Authorization Number (TAN)
• Several form factors exist
Social Engineering (1/2)
• Inject content tricking the user into entering a TAN
Social Engineering (2/2)
• Inject content tricking the user into installing a malicious application
Popular Webservices Targeted
• Extra content is injected as soon as the user logs into their account
• Usually phishing-like webinjects
Webinject Commoditization
Custom Tools
Cheap Webinjects
ATS
• Some webinject sellers can include Android components to bypass mTAN
Panels
• Some scripts with advanced capabilities come with an administration panel
Public/Private Webinjects and Partnerships
• Two types of offering for webinjects
– Public
– Private
• Partnerships, where the revenue is shared, are also mentioned by some inject coders
Emergence of Popular Kits
ATSEngine
• ATSEngine panel screenshots
• Seen in Qadars, ZeusVM, Neverquest/Vawtrak, Citadel, GOZ
Injeria
• Used in several banking Trojans: Qadars, Tilon, Torpig
• JS downloaded from external source, using a distinctive URL
• Several different project types
– log-<project-name>
– mob-<project-name>
– req-<project-name>
– app-<project-name>
Injeria
How to track them?
• The code and URL structures
• The admin panel design
• Sometimes a correlation between underground adverts and features is possible
ATSEngine - ID
Webinject Delivery
Inline vs. external downloads
JS – External Download
• Advantages
– Hinder forensic analysis
– Feature-based selling
– Maintenance by original seller
– New webinject code does not have to be downloaded right away by the bot
External Server Interactions
Conclusion
• Webinjects have evolved tremendously in the past few years
• In several banking Trojans, it is the true attack code
• Webinject commoditization is well in place
• Several different webinject platforms are available; some are more popular than others
Conclusion
• Special thanks to Anton Cherepanov
• Questions?
@jiboutin
Thank You!!